No vendor fix or workaround currently provided.
No advisories yet.
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Sherlock-project, Sherlock-project sherlock | |
| Vendors & Products | Sherlock-project, Sherlock-project sherlock | |
Thu, 28 May 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Wed, 27 May 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1. | |
| Title | Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml | |
| Weaknesses | CWE-78 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-28T13:28:18.355Z
Reserved: 2026-05-06T21:49:12.425Z
Link: CVE-2026-44590
Updated: 2026-05-28T13:28:14.791Z
Status: Deferred
Published: 2026-05-27T20:16:37.293
Modified: 2026-06-17T10:50:53.513
Link: CVE-2026-44590
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:50:16Z